Cyware Daily Threat Intelligence - July 10, 2026

Attackers are turning destructive malware into multi-pronged weapons, with new toolkits like GigaWiper blending disk wiping, file encryption, and system sabotage to maximize operational disruption. Microsoft Threat Intelligence has tracked this threat since October 2025, noting its use of 20 distinct commands and command-and-control channels built on RabbitMQ and Redis. Cyware highlights the immediate risk of downtime and data loss for organizations caught unprepared.
Ransomware crews are exploiting critical vulnerabilities in enterprise infrastructure, with CVE-2025-5777 in Citrix NetScaler serving as a gateway for session hijacking and full network shutdowns. Huntress reports attackers leveraging memory leaks and registry tricks to escalate privileges and deploy Dragonforce ransomware, leaving organizations vulnerable to repeated intrusions even after initial containment.
Threat actors are scaling up phishing and supply-chain attacks, with platforms like Forg365 automating Microsoft 365 account takeovers and campaigns like Muck and Load poisoning over 222 GitHub repositories. As cyware.com tracks these developments, defenders face a landscape where a single malicious package or phishing email can compromise entire organizations.
Top Malware Reported in the Last 24 Hours
GigaWiper backdoor blends wiping and encryption
GigaWiper is a modular destructive backdoor that combines disk wiping, file encryption, and system-level sabotage. GigaWiper incorporates elements from other malware families, including Crucio ransomware and FlockWiper, to expand its destructive capabilities. GigaWiper executes a command-driven playbook with 20 commands, such as disk wiping, system disruption, and file encryption. GigaWiper uses command-and-control infrastructure built on RabbitMQ and Redis to deliver instructions and payloads. GigaWiper is delivered post-compromise in environments already under attacker control. GigaWiper targets organizations across sectors, with the immediate risk being operational downtime and data loss. Microsoft Threat Intelligence has tracked GigaWiper activity since October 2025.
Odyssey Stealer swaps wallets for drainers
Odyssey Stealer is a macOS infostealer campaign that targets cryptocurrency users by replacing legitimate wallet apps with drainer trojans. Odyssey Stealer steals browser passwords, cookies, autofill data, SSH keys, and cloud configuration files using AppleScript loaders triggered by fake CAPTCHA pages. Odyssey Stealer maintains persistence through LaunchDaemons and a nohup-style loop, making removal difficult. Odyssey Stealer is distributed as a Malware-as-a-Service program with an affiliate-accessible admin panel and builder for custom variants. Odyssey Stealer targets developers, admins, crypto traders, and executives in over 100 countries, leading to emptied wallets and compromised work and cloud accounts. Researchers recommend monitoring for unexpected application swaps and anomalous osascript usage.
Braintree.Net NuGet implant steals card data
Braintree[.]Net is a malicious NuGet package that impersonates the official Braintree .NET client and installs a multi-stage implant to steal payment card data, merchant credentials, and host secrets. Braintree[.]Net increases its visibility by padding download counts across 120 throwaway versions and leverages a transitive dependency called DependencyInjector.Core. Braintree[.]Net exfiltrates merchant API credentials via the BraintreeGateway.PrivateKey setter and logs payment card details through a CardOperationLogger component. Braintree[.]Net is distributed through NuGet and can reach victims via direct or transitive dependencies. Braintree[.]Net targets businesses processing payments, exposing cardholder data and merchant keys to fraud and account takeover. Researchers flagged Braintree[.]Net shortly after its July 3, 2026 release and reported it to NuGet for removal and publisher suspension.
Top Vulnerabilities Reported in Last 24 hours
Ransomware crews abuse Citrix NetScaler sessions (CVE-2025-5777)
CVE-2025-5777 is a session hijacking vulnerability in Citrix NetScaler exploited to deploy Dragonforce ransomware. Successful exploitation allows attackers to hijack sessions, escalate privileges to SYSTEM, and create rogue admin accounts, resulting in full network shutdowns. CVE-2025-5777 is actively exploited in the wild. Huntress links the activity to Initial Access Brokers using malformed login requests and token theft/replay in LDAP with MFA environments. Mitigation includes auditing for rogue admin accounts and remote-access tools such as ScreenConnect, Zoho Assist, and Netbird/Atera, as persistence can remain after initial containment.
OpenPLC bug could enable ICS takeover (CVE-2026-14480)
CVE-2026-14480 is an arbitrary file write vulnerability in OpenPLC v3 (CVSS v3.1 9.9; CVSS v4.0 8.7) that allows authenticated attackers to run arbitrary code. Exploitation can result in manipulated or disrupted industrial processes. No public exploitation has been reported. The advisory credits Grady DeRosa for reporting the issue to CISA. Mitigation involves restricting access to the legacy web UI and monitoring for unauthorized .cpp file uploads to the runtime core directory. Critical manufacturing, energy, transportation, and water organizations are at risk of unsafe operations and downtime.
Hitachi Energy EMS exposed to NGINX overflow (CVE-2026-42945)
CVE-2026-42945 is a critical buffer overflow in Hitachi Energy e-mesh EMS that can allow denial of service or arbitrary code execution. Crafted HTTP requests can trigger a heap-based overflow in the ngx_http_rewrite_module, potentially interrupting energy management operations. No active exploitation has been reported. CISA published the advisory and recommends updating NGINX to 1.30.2 or later, ensuring rewrite configurations do not contain "?", and activating ASLR (value=2) across deployment targets. The vulnerability affects organizations relying on Hitachi Energy EMS for critical infrastructure.
Top Threat Actors Reported in Last 24 hours
Forg365 turns AI into M365 phishing
Forg365 is a suspected cybercrime group operating a phishing-as-a-service platform to compromise Microsoft 365 accounts. Forg365 integrates AI-assisted email writing into its dashboard to accelerate campaign creation and iteration. Forg365 leverages device-code phishing to trick victims into authorizing attacker-controlled devices via OAuth 2.0 flows, and supports adversary-in-the-middle phishing to capture session cookies. Forg365 targets organizations seeking to protect mailbox integrity, with successful logins enabling mailbox surveillance and business disruption. Forg365’s tooling includes a ForgCookie extension for account data theft and an AntiBot layer with AES-encrypted redirectors, bot detection, debugger traps, sandbox checks, and polymorphic code. The platform’s features frustrate analysis and takedowns.
Muck and Load poisons Go packages
Muck and Load is a suspected cybercrime operation distributing malware via 222 GitHub repositories masquerading as legitimate Go packages. Muck and Load uses GitHub Actions workflows and synthetic commit activity to make projects appear maintained, luring users searching for cryptocurrency and Web3 tooling. Muck and Load targets developers and teams that pull untrusted code, turning package discovery into a supply-chain risk. The campaign’s payload chain starts with a PowerShell script (L.ps1) that retrieves content from Pastebin and Telegram, applies Base64 encoding and XOR decryption, and unpacks a password-protected .7z archive containing the final malware. Muck and Load’s activity can spill into corporate environments through routine development workflows.
Frequently Asked Questions
What is GigaWiper? GigaWiper is a modular destructive backdoor that blends disk wiping, file encryption, and system-level sabotage into one toolkit, and Microsoft Threat Intelligence says it has been active in compromised environments since October 2025. It mixes in elements from other malware families, including Crucio ransomware and FlockWiper, to broaden the damage it can inflict once attackers have control.
What is Odyssey Stealer? Odyssey Stealer is a macOS infostealer campaign that targets cryptocurrency users by replacing legitimate wallet apps with drainer trojans, with activity reported across over 100 countries. It uses a “ClickFix” lure that sends victims to fake CAPTCHA pages that run AppleScript loaders, then it steals browser passwords, cookies, and autofill data alongside SSH keys and cloud configuration files.
What is Braintree[.]Net? Braintree[.]Net is a malicious NuGet package that masquerades as the official Braintree .NET client, mirroring the real SDK’s API while quietly installing a multi-stage implant designed to steal payment card data, merchant credentials, and host secrets. It boosts its apparent popularity by padding download counts across 120 throwaway versions and can broaden reach through a transitive dependency called DependencyInjector.Core.
What is CVE-2025-5777? Attackers are exploiting a Citrix NetScaler flaw known as CitrixBleed 2 (CVE-2025-5777) to break into organizations and ultimately deploy Dragonforce ransomware, turning a single exposed access point into a full network shutdown. Huntress describes a chain that starts with session hijacking via a memory leak, then escalates privileges to SYSTEM using registry symbolic links, before attackers create rogue admin accounts and push ransomware.
What is CVE-2026-14480? A critical flaw in OpenPLC v3 (CVE-2026-14480, CVSS v3.1 9.9; CVSS v4.0 8.7) can let an authenticated attacker run arbitrary code, raising the risk of manipulated or disrupted industrial processes. The issue is an arbitrary file write in the legacy web UI’s program-upload workflow (CWE-73), where an attacker can steer files into sensitive locations and turn that write into execution.
What is CVE-2026-42945? A critical buffer overflow in Hitachi Energy e-mesh EMS (CVE-2026-42945) could allow denial of service or, in some environments, arbitrary code execution—an outcome that can interrupt energy management operations. The flaw sits in the product’s use of NGINX, where crafted HTTP requests can trigger a heap-based overflow in the ngx_http_rewrite_module.
What is Forg365? Forg365 is a phishing-as-a-service platform built to compromise Microsoft 365 accounts, and it bakes AI-assisted email writing directly into its operator dashboard to speed up campaign creation and iteration. The group behind the platform leans on device-code phishing to trick victims into authorizing attacker-controlled devices through legitimate OAuth 2.0 flows, and also supports adversary-in-the-middle (AiTM) phishing to capture session cookies.
What is Muck and Load? The Muck and Load operation is a GitHub-centered malware distribution campaign built around 222 repositories that masquerade as legitimate Go packages while delivering loaders, stealers, RATs, and cryptominers. The operators use GitHub Actions workflows and synthetic commit activity to make the projects look maintained, luring users who are searching for cryptocurrency and Web3 tooling into cloning and running malicious code.